From aa0525331d7f146157d7ee6598112e9bf1df8508 Mon Sep 17 00:00:00 2001
From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com>
Date: Wed, 17 Jun 2026 03:15:35 -0500
Subject: [PATCH] deploy(updater): roll non-root GX10 image
---
 .../deployment-updatecenter-web.json | 22 +++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/apps-gx10/fc-updater/deployment-updatecenter-web.json b/apps-gx10/fc-updater/deployment-updatecenter-web.json
index e4c3524..b857454 100644
--- a/apps-gx10/fc-updater/deployment-updatecenter-web.json
+++ b/apps-gx10/fc-updater/deployment-updatecenter-web.json
@@ -195,9 +195,17 @@
 "value": "26843545600"
 }
 ],
- "image": "localhost/fc-updater-web:gx10-v1",
- "imagePullPolicy": "Never",
- "livenessProbe": {
+ "image": "localhost/fc-updater-web:v20260617-sec5-913c6a9",
+ "imagePullPolicy": "Never",
+ "securityContext": {
+ "allowPrivilegeEscalation": false,
+ "capabilities": {
+ "drop": [
+ "ALL"
+ ]
+ }
+ },
+ "livenessProbe": {
 "failureThreshold": 3,
 "initialDelaySeconds": 30,
 "periodSeconds": 30,
@@ -244,7 +252,13 @@
 "dnsPolicy": "ClusterFirst",
 "restartPolicy": "Always",
 "schedulerName": "default-scheduler",
- "securityContext": {},
+ "securityContext": {
+ "fsGroup": 1654,
+ "fsGroupChangePolicy": "OnRootMismatch",
+ "runAsGroup": 1654,
+ "runAsNonRoot": true,
+ "runAsUser": 1654
+ },
 "terminationGracePeriodSeconds": 30,
 "volumes": [
 {
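Review bot: The container-level `securityContext` added in the `@@ -195,9 +195,17 @@` hunk leaves the root filesystem writable; it sets `allowPrivilegeEscalation` and drops all capabilities but has no `readOnlyRootFilesystem`. If the web container writes only to its mounted volumes (the volume mounts are outside this hunk, so this needs checking), add `"readOnlyRootFilesystem": true,` next to `"allowPrivilegeEscalation": false,`. Separately, `"imagePullPolicy": "Never"` with a `localhost/` tag means each node runs whatever image it holds under `v20260617-sec5-913c6a9`, so the non-root guarantee depends on how that tag was loaded onto the node; recording the expected image digest in the rollout procedure would make that checkable. The container object starts and ends outside the hunk.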
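Review bot: The pod-level `securityContext` in the `@@ -244,7 +252,13 @@` hunk sets no `seccompProfile`, so unless the kubelet is configured to apply a default seccomp profile the container runs unconfined even though it is now non-root. Adding `"seccompProfile": { "type": "RuntimeDefault" }` to this object covers every container in the pod, and the Pod Security "restricted" profile also requires it alongside the fields this commit sets. It is also worth confirming that the image's files and the mounted volumes are accessible to UID/GID 1654, since `runAsUser` does not change ownership inside the image and `fsGroup` only adjusts volume types that support it. The pod spec continues outside the hunk.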